A blog about Cyber Security & Compliance

This is a contributed piece by Brian Pennington, regional sales director, EMEA for Coalfire

From financial institutions such as Tesco Bank to tenured technology giants like Yahoo, it seems that no one is impervious to the mounting sophistication of cyber attacks. And in the case of the latter, these attacks pose more of a threat than just the compromising of user data. As a result, businesses need to think seriously about the hidden issues that a cyber-security breach can cause to a merger and acquisition (M&A) deal.

2016 was a big year for cybersecurity. From discussions pertaining to foreign infiltration in the US election to some of the largest scale cyber attacks ever witnessed, questions around the global state of cybersecurity dominated the media. As a result, there are increasing needs, demands and pressures for purchasing companies in M&A deals to calculate and identify cybersecurity weaknesses and breaches in the companies they intend to buy.

With so many moving parts involved in a large-scale M&A, it is easy to overlook the cyber security element. With contracts, staffing, and a lot of legal frameworks to be worked through, cyber security can quickly fall down the list of priorities. This, though, can be a big flaw, as once a data breach is found – even if it took place years before an acquisition was even planned – the purchasing company can be held responsible and consequently suffer the penalties and charges that come from this.

These ticking time bombs can then go off, wiping millions or even billions off the value of an acquisition. For those that have spent time engineering the deal, it can turn a career defining moment into a nightmare. Having completed the deal, the people that should have been held accountable can, in fact, head off into the sunset, without needing to worry about what might happen next.

The modern-day M&A

One recent example of how a good deal can turn sour very quickly can be seen in Verizon’s deal to buy Yahoo. Having agreed to buy Yahoo for $4.8 billion, Verizon soon found out that all was not what it may have seemed as two large, successful and separate cyber attacks were announced to the public. With one billion accounts having been compromised in the largest of the attacks, Yahoo now has the unenviable title of suffering the largest cyber-attack ever recorded. Following this news, it was widely reported that Verizon may seek to have $1 billion removed from the sale price for Yahoo.

With large hacks such as these making headline news across the globe, PR and marketing teams at Yahoo will be springing into action to save as much of the company’s reputation as possible. Having established itself as a world-renowned and recognised internet brand, Yahoo is in serious danger of becoming synonymous with cyber hacks and data breaches.

The price you pay

Brand reputations are not the only area that can take a blow following a cyber-attack. The financial impact of a data breach can easily spiral into large sums of money, with some estimates placing the average cost to a company at $221 per stolen record in the US. If this applied to the smallest of Yahoo’s reported attacks, the total would still be over $100 billion, or close to the market capitalisation of MasterCard! To make matters even worse, a company’s share price often nosedives after a breach, with the likes of TalkTalk taking a hit of 20% off its share price in the months after its widely broadcast cyber-attack. It is quite clear that forgoing cybersecurity checks can cost businesses billions financially and make a once priceless brand name completely worthless.

So how can businesses empower and protect themselves from a cyber-attack when considering a potential M&A? Well, there are three steps that can help protect the investment:

Audit potential breaches: Carrying out a risk audit of potential breaches, assessing both the societal and financial factors that might increase the likelihood of becoming a cyber-target, will help M&A analysts calculate whether the eventual acquisition is cost effective.

Regulatory industry standards: Companies within certain industries are obliged to maintain a secure environment that will mitigate the risk of cyber-attacks and protect user data. For instance, the Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information do so in a secure fashion. Ensuring that potential purchases are compliant with these standards is essential in M&A deals.

Seek expert help: Cyber security systems are complex and require in-depth knowledge and understanding of how to navigate them safely and effectively, without compromising existing structures. It is therefore highly recommended that M&A analysts enlist the help of cybersecurity consultants to advise them on the suitability of a potential purchase.

Cyberpolitics and societal security

As cyber criminals and their crimes become ever more complex and dangerous, it is in the best interests of the purchasing company during an M&A to calculate and identify cyber security weaknesses and breaches in the business they intend to buy. Furthermore, brands need to start planning earlier in the M&A process to carry out a full cyber security due diligence investigation and report to assess the dangers of a hack. Carrying out a full cyber risk assessment as part of an M&A not only lessens the financial impact on a deal but also ensures that a business’s reputation remains intact too.

Next time you are planning an M&A, it is vital to get the experts in to ensure there are no hidden surprises from large cyber attacks. Working with cybersecurity experts to assist the M&A department could truly be the difference between disaster and prosperity in years to come.